CryptoLocker Ransomware + CryptoPrevent Q&A

Started by Corrine, October 13, 2013, 01:30:34 AM

Corrine

To put it simply, CryptoLocker encrypts the files on the computer and holds them for ransom. There is only one private key available to decrypt the public key, and it is stored on a secret server with a time bomb set to destroy the key if the ransom isn't paid by the deadline. Depending on the version, the ransom is $100 to $300, with a deadline for payment of roughly 72 to 100 hours.

Additional information and references are available in my blog post, CryptoLocker Ransomware.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Corrine

Due to the incorrect and vague information available on CryptoLocker, Grinler published a guide containing all the known information on CryptoLocker to date.

CryptoLocker Ransomware Information Guide and FAQ

MikeW

Corrine, I see from the BC link that at present this is aimed at business networks. Is it likely this will spread to home users, and is there anything we should do to minimise the risk?
Win 11 Home MS Edge - WD - Mbam Pro

Corrine

Corporate networks are being targeted because there is a better chance of collecting the ransom in order to decrypt the files. Seeing as how malware writers sell their wares, it wouldn't surprise me to see a variant hit the general population. New variants are being installed via ZBot infections that install CryptoLocker through spam emails and hacked websites. Even though home users are currently not likely to receive the type of phishing attacks targeting corporations, they are not exempt from hacked websites.

The first step is ensuring that important files are backed up. Since you use Malwarebytes PRO, the likelihood of infection is significantly diminished via the malware execution prevention and the blocking of malware sites and servers that it provides. Another option is Emsisoft Anti-Malware or Online Armor, which use behavior blocking.

Malwarebytes: A license is currently a one-time fee of $24.95 for one computer.
See Cryptolocker Ransomware: What You Need To Know | Malwarebytes Unpacked and the related Stopping Malware Distribution at the Source | Malwarebytes Unpacked.

Emsisoft: A one-year license for one computer for either Emsisoft Anti-Malware or Online Armor is $39.95. They also have "package" deals for both.
See CryptoLocker - a new ransomware variant | Emsisoft Blog

CryptoPrevent: Home users can also install CryptoPrevent.

Basil

Thank you Corrine,
I have just downloaded/installed CryptoPrevent. Despite the fact that I have MBAM PRO, this is a nasty infection that has been worrying me. I feel more relaxed now.... :thumbsup:

Corrine

Another update today:

Quote: Updated the CryptoLocker guide to include updated info on the new Registry keys, updates to CryptoPrevent, and the message on the Command & Control Server.

SpyDie

This has been incredibly well designed. It really does put the emphasis on "prevention is better than a cure".
Beta. Software undergoes beta testing shortly before it's released. Beta is Latin for 'still doesn't work.'

Corrine

Quote: prevention is better than a cure

That's for certain!

Corrine

Update: CryptoLocker guide updated to fix issues with the %Temp% SRP rules and to add info on known bitcoin payment wallet addresses.

Basil

New version 2.2.1 available

http://www.foolishit.com/vb6-projects/cryptoprevent/

Quote: v2.2.1 – made changes to prevent duplicate rules from being created when protection is applied multiple times without undoing the protection first. No harm would come from the duplicate rules, but my OCD was bothering me.

Corrine

Thanks, Basil!

Interesting development: DNS Sinkhole campaign underway for CryptoLocker - News
Quote: A DNS sinkhole campaign is underway and in high gear to block computers infected with CryptoLocker from reaching the malware's Command & Control servers. A DNS sinkhole is a method used by security researchers to monitor botnets and to block communication between an infected computer and its Command & Control server.

There are a couple of issues with the sinkhole. First, of course, would be those caught in the middle, having paid the $300 ransom but still waiting for the key to decrypt their files. Another is that CryptoLocker will merely move on to another domain that isn't in the sinkhole.

At this time, it is unknown who is responsible for setting up the sinkhole.

Basil

Thank you Corrine !
Very interesting article. I had to do a bit of reading to understand what a DNS sinkhole is..... :goodie:

All this stuff is a bit above my pay grade....  :cheers:
To me, it starts sounding like the beginning of a new "Star Wars" type script ........  :thud:

Basil

Version 5 has an additional item which is not ticked by default:
"Temp Extracted Executables in Archive Files"

I don't fully understand its significance. Should I tick it?
Thank you
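The "%Temp% SRP rules" in Corrine's update and the "Temp Extracted Executables in Archive Files" option Basil asks about are both Software Restriction Policy (SRP) path rules: entries under the Safer\CodeIdentifiers registry key that tell Windows to refuse to run an executable whose path matches a wildcard. The PowerShell below is an added example written for this thread; it is not CryptoPrevent's or Grinler's code. The wildcard patterns, the rule descriptions, the function names and the probe check are assumptions chosen to illustrate the mechanism, not the tool's actual rule list.

```powershell
#Requires -RunAsAdministrator
# Added example, not CryptoPrevent's own code: SRP "Disallowed" path rules written directly to the
# registry. The patterns and descriptions below are representative assumptions, not the tool's list.

$SaferRoot       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$DisallowedPaths = Join-Path $SaferRoot '0\Paths'   # level 0 = Disallowed; 262144 (0x40000) = Unrestricted

# Executables launched from the profile folders CryptoLocker dropped into, plus executables that
# archivers unpack into %Temp% before running them (what the "archive files" option targets).
$Rules = @(
    @{ Path = '%AppData%\*.exe';        Description = 'Executable directly under %AppData%' }
    @{ Path = '%AppData%\*\*.exe';      Description = 'Executable one folder below %AppData%' }
    @{ Path = '%LocalAppData%\*.exe';   Description = 'Executable directly under %LocalAppData%' }
    @{ Path = '%LocalAppData%\*\*.exe'; Description = 'Executable one folder below %LocalAppData%' }
    @{ Path = '%Temp%\Rar*\*.exe';      Description = 'Temp-extracted executable (WinRAR)' }
    @{ Path = '%Temp%\7z*\*.exe';       Description = 'Temp-extracted executable (7-Zip)' }
    @{ Path = '%Temp%\wz*\*.exe';       Description = 'Temp-extracted executable (WinZip)' }
    @{ Path = '%Temp%\*.zip\*.exe';     Description = 'Temp-extracted executable (Windows zip folders)' }
)

function Initialize-Srp {
    # Create the SRP root with the usual defaults if no policy exists yet: default level
    # Unrestricted (so only the explicit Disallowed rules bite), enforced for all users.
    if (-not (Test-Path $SaferRoot)) {
        New-Item -Path $SaferRoot -Force | Out-Null
        New-ItemProperty -Path $SaferRoot -Name DefaultLevel       -PropertyType DWord -Value 0x40000 | Out-Null
        New-ItemProperty -Path $SaferRoot -Name TransparentEnabled -PropertyType DWord -Value 1       | Out-Null
        New-ItemProperty -Path $SaferRoot -Name PolicyScope        -PropertyType DWord -Value 0       | Out-Null
    }
    if (-not (Test-Path $DisallowedPaths)) { New-Item -Path $DisallowedPaths -Force | Out-Null }
}

function Get-SrpPathRule {
    # List the existing Disallowed path rules. GetValue with DoNotExpandEnvironmentNames returns the
    # raw REG_EXPAND_SZ text; Get-ItemProperty would expand %AppData% and defeat the duplicate check.
    if (-not (Test-Path $DisallowedPaths)) { return @() }
    Get-ChildItem $DisallowedPaths | ForEach-Object {
        [pscustomobject]@{
            Id          = $_.PSChildName
            Path        = $_.GetValue('ItemData', $null, 'DoNotExpandEnvironmentNames')
            Description = $_.GetValue('Description', '')
        }
    }
}

function Add-SrpPathRule {
    param([Parameter(Mandatory)][string]$Path, [string]$Description = '')
    # Skip rules whose ItemData already exists, so re-applying protection does not duplicate them
    # (the behaviour the CryptoPrevent v2.2.1 change log describes).
    if (Get-SrpPathRule | Where-Object { $_.Path -eq $Path }) { Write-Verbose "Already present: $Path"; return }
    $key = Join-Path $DisallowedPaths "{$([guid]::NewGuid())}"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name ItemData     -PropertyType ExpandString -Value $Path        | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags   -PropertyType DWord        -Value 0            | Out-Null
    New-ItemProperty -Path $key -Name Description  -PropertyType String       -Value $Description | Out-Null
    New-ItemProperty -Path $key -Name LastModified -PropertyType QWord        -Value ([datetime]::UtcNow.ToFileTimeUtc()) | Out-Null
}

function Remove-SrpPathRule {
    # "Undo" for one pattern: delete every rule whose ItemData matches it.
    param([Parameter(Mandatory)][string]$Path)
    Get-SrpPathRule | Where-Object { $_.Path -eq $Path } |
        ForEach-Object { Remove-Item (Join-Path $DisallowedPaths $_.Id) -Recurse }
}

function Test-SrpBlock {
    # Practitioner check: copy a harmless executable into %AppData% and try to launch it.
    # With the rules active, Start-Process fails ("This program is blocked by group policy").
    $probe = Join-Path $env:APPDATA 'srp-probe.exe'
    Copy-Item "$env:SystemRoot\System32\notepad.exe" $probe -Force
    try {
        $p = Start-Process -FilePath $probe -PassThru -ErrorAction Stop
        $p | Stop-Process -Force
        $blocked = $false
    } catch { $blocked = $true }
    finally { Remove-Item $probe -Force -ErrorAction SilentlyContinue }
    return $blocked
}

Initialize-Srp
foreach ($r in $Rules) { Add-SrpPathRule -Path $r.Path -Description $r.Description }
Get-SrpPathRule | Format-Table -AutoSize
"Probe under %AppData% blocked: $(Test-SrpBlock)"
```

Run it from an elevated PowerShell; the rules it creates show up under Security Settings > Software Restriction Policies > Additional Rules in secpol.msc, where they can also be inspected or deleted by hand. The probe at the end is the check worth keeping: if it reports False, the rules are present but not being enforced for the current user (environment variables such as %Temp% are expanded per user when the rule is evaluated, which is the kind of problem the %Temp% fix in the guide addressed), and nothing has been gained. Note that a path rule only blocks execution from the matched location; it does nothing against malware that lands elsewhere, and, since Microsoft has stopped developing SRP in favour of AppLocker and Windows Defender Application Control, newer Windows releases are better served by those.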